On Fri, 2010-07-02 at 10:43 +0200, ext Chris Wilson wrote:
> Fixes:
> 
>   Bug 27313 - random X11 crash (SIGSEGV) when rendering firefox in 
> pixman/intel
>   https://bugs.freedesktop.org/show_bug.cgi?id=27313
> 
> As pixman does not guard against a fill request outside of the buffer,
> we must be careful and trim oversized fills.
> 
> Signed-off-by: Chris Wilson <[email protected]>
> Tested-by: Michael Stapelberg <[email protected]>
> ---
>  fb/fbfill.c |   44 ++++++++++++++++++++++++++++++--------------
>  1 files changed, 30 insertions(+), 14 deletions(-)
> 
> diff --git a/fb/fbfill.c b/fb/fbfill.c
> index 801a0d0..fddf042 100644
> --- a/fb/fbfill.c
> +++ b/fb/fbfill.c
> @@ -39,20 +39,37 @@ fbFill (DrawablePtr pDrawable,
>      int                  dstBpp;
>      int                  dstXoff, dstYoff;
>      FbGCPrivPtr          pPriv = fbGetGCPrivate(pGC);
> -    
> +    int x1, x2, y1, y2;
> +
>      fbGetDrawable (pDrawable, dst, dstStride, dstBpp, dstXoff, dstYoff);
>  
> +    /* trim fill to drawable bounds */
> +    x1 = x + dstXoff;
> +    y1 = y + dstYoff;
> +    x2 = x1 + width;
> +    y2 = y1 + height;
> +    if (x1 < 0)
> +     x1 = 0;
> +    if (x2 > pDrawable->width)
> +     x2 = pDrawable->width;
> +    if (y1 < 0)
> +     y1 = 0;
> +    if (y2 > pDrawable->height)
> +     y2 = pDrawable->height;
> +    width  = x2 - x1;
> +    height = y2 - y1;
> +

It might make sense to add a clamp() macro to include/misc.h; we already
have min() and max() there and this would make the code more readable.

>      switch (pGC->fillStyle) {
>      case FillSolid:
>  #ifndef FB_ACCESS_WRAPPER
>       if (pPriv->and || !pixman_fill ((uint32_t *)dst, dstStride, dstBpp,
> -                                     x + dstXoff, y + dstYoff,
> +                                     x1, y1,
>                                       width, height,
>                                       pPriv->xor))
>  #endif           
> -         fbSolid (dst + (y + dstYoff) * dstStride, 
> -                  dstStride, 
> -                  (x + dstXoff) * dstBpp,
> +         fbSolid (dst + y1 * dstStride,
> +                  dstStride,
> +                  x1 * dstBpp,
>                    dstBpp,
>                    width * dstBpp, height,
>                    pPriv->and, pPriv->xor);
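Review bot: After the trim, `width` and `height` can come out zero or negative when the request lies wholly outside the bounds, and the hunk hands them straight to pixman_fill and fbSolid as `width * dstBpp, height`. A check such as `if (width <= 0 || height <= 0)` right after `height = y2 - y1;` should skip the switch, while still reaching whatever cleanup fbFill does at its end, which is outside this hunk. Separately, `x1`/`y1` already include `dstXoff`/`dstYoff`, so they are in destination-buffer coordinates, yet they are clamped to `pDrawable->width`/`pDrawable->height`. If a drawable can be smaller than the buffer it is stored in (a window inside a larger pixmap, for example — worth confirming), the clamp compares values from two coordinate spaces and should use the backing buffer's extents instead.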
> @@ -76,9 +93,9 @@ fbFill (DrawablePtr pDrawable,
>           else
>               alu = FbOpaqueStipple1Rop(pGC->alu,pGC->fgPixel,pGC->bgPixel);
>           fbGetDrawable (&pStip->drawable, stip, stipStride, stipBpp, 
> stipXoff, stipYoff);
> -         fbTile (dst + (y + dstYoff) * dstStride,
> +         fbTile (dst + y1 * dstStride,
>                   dstStride,
> -                 x + dstXoff,
> +                 x1,
>                   width, height,
>                   stip,
>                   stipStride,
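Review bot: The destination now starts at `y1`, but the pattern origin passed to this fbTile call is still derived from the untrimmed `y` (`pGC->patOrg.y + pDrawable->y - y`, visible as context in the next hunk). Whenever the trim moves the top edge, the stipple will be drawn out of phase by the trimmed amount; `pGC->patOrg.y + pDrawable->y + dstYoff - y1` would keep it aligned. The fbStipple call and the tiled fbTile call in the later hunks presumably need the same adjustment, but their origin arguments fall outside the quoted lines.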
> @@ -87,7 +104,6 @@ fbFill (DrawablePtr pDrawable,
>                   alu,
>                   pPriv->pm,
>                   dstBpp,
> -                 
>                   (pGC->patOrg.x + pDrawable->x + dstXoff),
>                   pGC->patOrg.y + pDrawable->y - y);
>           fbFinishAccess (&pStip->drawable);
> @@ -114,9 +130,9 @@ fbFill (DrawablePtr pDrawable,
>           }
>  
>           fbGetStipDrawable (&pStip->drawable, stip, stipStride, stipBpp, 
> stipXoff, stipYoff);
> -         fbStipple (dst + (y + dstYoff) * dstStride, 
> -                    dstStride, 
> -                    (x + dstXoff) * dstBpp,
> +         fbStipple (dst + y1 * dstStride,
> +                    dstStride,
> +                    x1 * dstBpp,
>                      dstBpp,
>                      width * dstBpp, height,
>                      stip,
> @@ -144,9 +160,9 @@ fbFill (DrawablePtr pDrawable,
>       fbGetDrawable (&pTile->drawable, tile, tileStride, tileBpp, tileXoff, 
> tileYoff);
>       tileWidth = pTile->drawable.width;
>       tileHeight = pTile->drawable.height;
> -     fbTile (dst + (y + dstYoff) * dstStride, 
> -             dstStride, 
> -             (x + dstXoff) * dstBpp, 
> +     fbTile (dst + y1 * dstStride,
> +             dstStride,
> +             x1 * dstBpp,
>               width * dstBpp, height,
>               tile,
>               tileStride,

